Puter is an open-source web-based operating system with 4,024 analyzed functions, 391 of which score in the critical band. The single highest-risk function, UIWindow in src/gui/src/UI/UIWindow.js, sits in the ‘fire’ quadrant with a recent commit activity of 20.2 and a cyclomatic complexity of 190 — meaning it is both structurally extreme and actively changing right now, making it a live regression risk rather than a background cleanup item. The risk is concentrated in the GUI layer, where all five top hotspots reside and every one of them is in the ‘fire’ quadrant.
The table below ranks functions by activity-weighted risk — a score that multiplies structural complexity by recent commit frequency. A function that is both hard to understand (high cyclomatic complexity) and actively changing is a higher priority than one that is complex but untouched. CC = cyclomatic complexity (independent execution paths); ND = max nesting depth; FO = fan-out (distinct callees).
Top 5 Hotspots
| Function | File | Risk | CC | ND | FO |
|---|---|---|---|---|---|
| UIWindow | src/gui/src/UI/UIWindow.js | 28.1 | 190 | 9 | 205 |
| UIItem | src/gui/src/UI/UIItem.js | 20.5 | 137 | 7 | 138 |
| createItemListeners | src/gui/src/UI/Dashboard/TabFiles.js | 20.4 | 62 | 7 | 96 |
| <anonymous> | src/gui/src/helpers/item_icon.js | 19.8 | 61 | 31 | 12 |
| edit_app_section | src/dev-center/js/apps.js | 19.6 | 20 | 10 | 50 |
Hotspot Analysis
UIWindow — src/gui/src/UI/UIWindow.js
UIWindow almost certainly handles the construction, configuration, and lifecycle of the core desktop window abstraction — the foundational UI primitive that everything else renders inside. Its cyclomatic complexity of 190 means there are at least 190 independent execution paths through it, each a required test case and a potential bug surface; its max nesting depth of 9 makes those paths extremely hard to reason about locally. Most critically, its fan-out of 205 — 205 distinct functions called from a single function — combined with a recent commit activity of 20.2 in the ‘fire’ quadrant means any commit touching UIWindow right now ripples across an enormous surface area under active development, making it a live regression risk on every push.
Recommendation: Before the next feature lands in UIWindow, add characterization tests that lock down observable behavior across its major branching paths, then begin extract-method refactoring to pull distinct responsibilities (e.g. event binding, DOM construction, lifecycle hooks) into cohesive sub-functions, targeting a fan-out reduction below 50 as a first milestone.
UIItem — src/gui/src/UI/UIItem.js
UIItem likely handles the rendering and interaction logic for individual filesystem items displayed in the GUI — files, folders, and shortcuts in the desktop environment. With a cyclomatic complexity of 137 and a max nesting depth of 7, it carries an enormous branching surface that signals deep conditional logic around item types, states, and user interactions. Its fan-out of 138 and recent commit activity of 19.4 place it firmly in the ‘fire’ quadrant alongside UIWindow, meaning structural complexity and active churn are compounding each other in real time.
Recommendation: Map UIItem’s 138 callees to identify which sub-concerns can be extracted into dedicated handlers — item-type rendering, context-menu logic, and drag-and-drop behavior are likely candidates — and introduce unit tests for each extracted unit before touching the core function further.
createItemListeners — src/gui/src/UI/Dashboard/TabFiles.js
createItemListeners, located in the Dashboard’s TabFiles component, almost certainly wires up event listeners for file items displayed in the tab — covering clicks, double-clicks, drags, and keyboard interactions across a range of item states. Its cyclomatic complexity of 62 and max nesting depth of 7 indicate a dense web of conditional event-handling logic, while a fan-out of 96 means it reaches into nearly as many external functions as UIItem despite being scoped to a single tab component. With a recent commit activity of 19.38 in the ‘fire’ quadrant, this function is being actively changed through the same development window as UIWindow and UIItem, concentrating live regression risk across the entire file-browsing interaction model.
Recommendation: Decompose createItemListeners by event type — each discrete interaction (selection, navigation, context menu, drag) should become its own named listener factory — reducing the function’s complexity and making individual event paths independently testable.
Patterns Found
Antipatterns detected across the top functions in this snapshot:
| Pattern | Occurrences |
|---|---|
| god_function | 7 |
| long_function | 7 |
| complex_branching | 5 |
| deeply_nested | 5 |
| exit_heavy | 5 |
| cyclic_hub | 1 |
| hub_function | 1 |
These labels belong to two tiers — Tier 1 (structural): complex_branching, deeply_nested, exit_heavy, long_function, god_function. Tier 2 (relational/temporal): hub_function, cyclic_hub, middle_man, neighbor_risk, stale_complex, churn_magnet, shotgun_target, volatile_god.
Key Takeaways
- UIWindow (CC 190, fan-out 205, recent commit activity 20.2) is the single highest-priority refactoring target in the repo — add characterization tests before any further feature work lands in that file.
- All five critical hotspots are in the ‘fire’ quadrant, meaning Puter’s GUI layer is simultaneously the most structurally complex and most actively changing part of the codebase — risk is not distributed, it is concentrated.
- The anonymous function in src/gui/src/helpers/item_icon.js has a max nesting depth of 31 — the most extreme nesting value in the top hotspots — and should be extracted and flattened with early-return guard clauses to make its icon-resolution logic testable and reviewable.
Reproduce This Analysis
git clone https://github.com/HeyPuter/puter
cd puter
git checkout 3e21479f176fedd2d3dc9e18b5423351e1319efa
hotspots analyze . --mode snapshot --explain-patterns --force
To run the same analysis on your own codebase, run hotspots analyze . --mode snapshot in any local git repo — no configuration required.
Hotspots highlights structural and activity risk — not “bad code.” Findings are a prioritization aid, not a bug predictor.